Climate Change Risk Assessments 🌎

Climate-related financial disclosure requirements are expanding across jurisdictions, increasing expectations for companies to assess and report on climate-related risks and opportunities. A structured climate change risk assessment (CCRA) is central to meeting these evolving regulatory demands.

CCRAs evaluate both physical risks—such as extreme weather events, water stress, and sea level rise—and transition risks, including policy changes, carbon pricing, and shifts in market or technology landscapes. They also help identify potential opportunities linked to decarbonization, energy efficiency, and new revenue models.

Scenario analysis is a core component. It enables companies to test strategic resilience under divergent climate pathways, including high-emissions futures and low-emissions transitions aligned with the Paris Agreement. Most regulatory frameworks now require both perspectives.

Benefits of a robust CCRA include improved risk management, reduced exposure to disruptions, and strengthened alignment with investor expectations. Insights from these assessments can be embedded into enterprise risk systems, capital planning, and strategic roadmaps.

Key challenges include short-term thinking in risk registers, limited access to forward-looking climate data, and misalignment between climate risk analysis and existing sustainability goals. These gaps can reduce the effectiveness of disclosures and slow organizational response.

Recommended approaches include leveraging established scenarios (e.g. IPCC, IEA), integrating outputs into ERM systems, using frameworks like ISSB and TCFD for structure, and applying competitive benchmarking to validate assumptions. Cross-functional engagement improves practical relevance.

As regulatory standards converge, CCRAs are becoming a baseline expectation. Those who develop structured, forward-looking assessments will be better positioned to adapt business models, manage uncertainty, and align with capital markets under increasing climate scrutiny.

Source: Ramboll

#sustainability #sustainable #business #esg #climatechange #risk
Risk Management in Strategy
Explore top LinkedIn content from expert professionals.
-
🔥 Climate risks are no longer abstract—they’re disrupting businesses, communities, and economies right now. The World Economic Forum’s 2024 report, "The Cost of Inaction: A CEO Guide to Navigating Climate Risk", delivers a sobering message: ignoring climate risks isn’t just irresponsible—it’s economically devastating.

🌡️ Key insights from the report:
💥 Climate-related disasters have caused $3.6 trillion in damages since 2000, exposing critical vulnerabilities in supply chains and infrastructure.
📉 Physical risks could put 5-25% of EBITDA at risk for some sectors by 2050 under a 3°C warming trajectory.
💸 Transition risks, like carbon pricing and changing regulations, could impact 50% of EBITDA in energy-intensive industries by 2030.
🌱 Every $1 invested in climate adaptation yields $2-$19 in avoided costs, while green markets are projected to grow from $5 trillion in 2024 to $14 trillion by 2030.

💡 My reflections:
🔄 Resilience isn’t enough anymore. Too often, we focus on simply "weathering the storm" of climate risk. But true leadership is about rebuilding something better—rethinking markets, redesigning business models, and creating solutions that lead entire industries forward.
🌍 Supply chain fragility is the Achilles’ heel of the global economy. A single extreme weather event can cascade across operations, grinding everything to a halt. Climate-resilient supply chains can’t just be about survival—they must be radically adaptive, decentralized, and built to thrive under disruption.
📊 Climate risk is fundamentally redefining the concept of value. Businesses stuck chasing quarterly earnings are missing the bigger picture. In a world of rising costs and irreversible climate impacts, long-term value will belong to those who embed sustainability, resilience, and equity into their strategies.

The time for cautious, incremental steps has passed. How are we using this moment to transform the way we work, innovate, and lead?

#ClimateAction #Sustainability #Resilience #Leadership #Innovation
-
Are you aware of the Temporary Works Forum (TWf) latest guidance on Lightweight Fencing AKA 'Heras' fencing? It advises it should no longer be used for site boundaries where a requirement for security, pedestrian crowd loading resistance, edge protection or impact provision is needed. It's a bit techy and probably boring to most but I thought I would share some thoughts around temporary fencing and try to highlight three key flaws we see across the industry.

Flaw #1: Misleading Wind Speed Ratings

The Critical Oversight: Many systems are marketed with a stated wind speed they can resist. What is often not made clear is that this figure may represent the point of incipient failure—calculated with a Factor of Safety (FoS) of 1.0. In engineering, this is the limit state, not a safe working capacity. Accepted best practice for temporary works, guided by standards like BS 5975, requires a minimum Factor of Safety of 1.5 against overturning. This factor is a crucial buffer for dynamic wind gusts and unforeseen site variations. Relying on a system with an effective FoS of 1.0 offers no such safety margin. Furthermore, these generic ratings are inadequate without a site-specific assessment to BS EN 1991-1-4 (the Eurocode for wind actions) to determine the actual wind pressures your specific location will face.

Flaw #2: Ignoring Foreseeable Pedestrian Loads

The Critical Oversight: A fence must function as a physical barrier, not just a visual one. British Standard BS 1722-14 specifies that even general-purpose fences should be designed to resist a pedestrian load of 0.36 kN/m, while security fences require a resistance of 0.74 kN/m. Despite this, competitor calculations we have reviewed make no provision for pedestrian or personnel loading. They are designed solely for wind. This is a significant omission. In the event of crowd pressure or even a worker leaning against the fence with equipment, a system not designed for these foreseeable loads is not truly fit for purpose.

Flaw #3: Incomplete Structural Analysis

The Critical Oversight: A calculation is only as reliable as its assumptions. We have identified several problematic practices in competitor designs:
- Asymmetrical Self-Weight Logic: A fence's self-weight may be included to help resist overturning from wind in one direction, but the analysis often fails to consider that this same weight can increase the overturning moment when the wind blows from the opposite side. This is a fundamental error in structural analysis.
- Lack of Component Verification: Analysis frequently stops at overall stability (tipping or sliding). It fails to demonstrate that the individual components—the posts, panels, and crucially, the levelling mechanisms—are strong enough to transfer the calculated forces and fully mobilise the kentledge. Many systems use simple friction clamps, which are susceptible to slip and cannot offer the same verifiable strength as a purpose-designed connection.

Feel free to comment 💡
-
Audit, Risk & Compliance (ARC): The Three Pillars of Strong Governance

"Let me explain why Audit, Risk, and Compliance aren’t just checkboxes—they’re your governance backbone."

I’ve had this conversation many times with peers, clients, and boards. And here’s what I often say when someone asks, “How do you build strong governance?” You start with ARC:
- Audit
- Risk Management
- Compliance

Each has its role, but when aligned, they become a strategic force. Let me walk you through it from experience:

🔍 Audit is your independent lens. Think of Audit as the team that tells you what’s happening. Their job is to verify that controls are working, not just existing on paper.
▶ Example: I once saw an internal audit uncover a $500K billing discrepancy no one had noticed. That wasn’t just cost savings; it was a control failure caught before it became reputational damage. The best audit teams today use data analytics and real-time assurance tools to stay ahead. Traditional static audits no longer suffice.

⚠️ Risk is your radar. Risk Management isn’t about stopping risk, it’s about knowing which risks matter, and how much risk you can take to grow. I’ve seen risk teams run scenario analyses ahead of market expansion that flagged FX volatility. With a solid hedging plan, they avoided a 7% EBITDA hit. That’s what proactive risk management looks like. And right now? The strongest risk programs I’ve seen are integrating AI, ESG risk, and third-party oversight into their frameworks.

✅ Compliance is your moral and legal compass. Compliance isn’t just about avoiding fines. It’s about building trust internally and externally. A solid compliance program is the reason one company I worked with navigated new data privacy regulations across multiple countries without missing a beat or getting penalized. What’s changing? Compliance is becoming more automated, more behavior-driven, and more global. And that means compliance officers need better tech and a seat at the strategy table.

Now here’s the key: ARC only works when it's integrated. When Audit, Risk, and Compliance operate in silos, things fall through the cracks. But when they collaborate, sharing insights, aligning priorities, and using common platforms, governance becomes a value driver.

A recent PwC survey backs this up:
- 73% of execs say ARC alignment improves decision-making
- 65% plan to invest in integrated GRC platforms
- Over half say Internal Audit is now a transformation partner

If you’re leading or supporting ARC functions, my advice is simple: Don’t build walls, build bridges. The future of governance isn’t in functions. It’s in how those functions work together.

Let me know how ARC works in your organization today. Do the functions collaborate, or still operate in silos?

#Governance #InternalAudit #RiskManagement #Compliance #GRC #BoardEffectiveness #OperationalResilience #Leadership #3prm #tprm #GovernanceExcellence #RiskStrategy #ComplianceCulture
-
Many mergers and acquisitions overlook a crucial detail. Insurance. It's not just a line item. It's a potential risk to your entire deal. When you merge or acquire, you may inherit all existing policies, good or bad. Often, these policies are outdated. Or worse, they're insufficient. Or your current insurance may not cover the new risk properly. Imagine closing a deal only to discover hidden liabilities. Or unexpected coverage gaps. That's a nightmare for the economics of the deal. And your reputation. So, what's the solution? Involve your insurance advisor early. Much earlier than you think is necessary. Conduct a thorough audit of all existing policies. Assess their adequacy. And their alignment with your new business goals. This proactive approach isn't just smart. It's essential. It saves you from unexpected costs. And ensures a smoother integration. Don't let insurance be your blind spot. Make it a strategic priority in every merger and acquisition.
-
In 2016, Colgate faced a significant challenge in India as Patanjali's Ayurvedic products rapidly gained popularity. Colgate, holding a dominant 55.6% market share in the toothpaste category, experienced a 1.8% decline in market share and a 4% drop in sales volume. Patanjali, on the other hand, quickly grew into a formidable competitor, evolving into a ₹10,000 crore giant within a decade. To counter Patanjali's rise, Colgate launched Vedshakti, a herbal toothpaste line, in an attempt to align with the Ayurvedic trend. However, this move backfired. Colgate's brand identity, long associated with "doctor-recommended" solutions for whiter teeth, conflicted with the Ayurvedic positioning. By venturing into Ayurveda, Colgate inadvertently endorsed the very essence of Patanjali's brand, which was already seen as the authentic leader in the Ayurvedic space. This strategic misalignment not only diluted Colgate's core brand values but also confused consumers who began to question Colgate’s sudden shift from science to Ayurveda. The result? Patanjali continued to capture more market share, while Vedshakti failed to make a significant impact. Colgate's own CEO later acknowledged that this misstep cost them dearly in terms of market position. Key Takeaway: This case serves as a compelling example of the risks of diverging from a strong brand identity. When a market leader like Colgate steps into a rival's territory without clear differentiation and understanding of consumer perception, it risks not only losing its own loyal customers but also reinforcing the rival’s position. The lesson here is clear: Stay true to your brand’s core strengths, and be cautious of competing on your competitor’s terms rather than your own. Thoughts? #FMCG #branding #Healthcare #brand #HUL #Patanjali
-
🚨 AI Privacy Risks & Mitigations Large Language Models (LLMs), by Isabel Barberá, is the 107-page report about AI & Privacy you were waiting for! [Bookmark & share below].

Topics covered:
- Background: "This section introduces Large Language Models, how they work, and their common applications. It also discusses performance evaluation measures, helping readers understand the foundational aspects of LLM systems."
- Data Flow and Associated Privacy Risks in LLM Systems: "Here, we explore how privacy risks emerge across different LLM service models, emphasizing the importance of understanding data flows throughout the AI lifecycle. This section also identifies risks and mitigations and examines roles and responsibilities under the AI Act and the GDPR."
- Data Protection and Privacy Risk Assessment: Risk Identification: "This section outlines criteria for identifying risks and provides examples of privacy risks specific to LLM systems. Developers and users can use this section as a starting point for identifying risks in their own systems."
- Data Protection and Privacy Risk Assessment: Risk Estimation & Evaluation: "Guidance on how to analyse, classify and assess privacy risks is provided here, with criteria for evaluating both the probability and severity of risks. This section explains how to derive a final risk evaluation to prioritize mitigation efforts effectively."
- Data Protection and Privacy Risk Control: "This section details risk treatment strategies, offering practical mitigation measures for common privacy risks in LLM systems. It also discusses residual risk acceptance and the iterative nature of risk management in AI systems."
- Residual Risk Evaluation: "Evaluating residual risks after mitigation is essential to ensure risks fall within acceptable thresholds and do not require further action. This section outlines how residual risks are evaluated to determine whether additional mitigation is needed or if the model or LLM system is ready for deployment."
- Review & Monitor: "This section covers the importance of reviewing risk management activities and maintaining a risk register. It also highlights the importance of continuous monitoring to detect emerging risks, assess real-world impact, and refine mitigation strategies."
- Examples of LLM Systems’ Risk Assessments: "Three detailed use cases are provided to demonstrate the application of the risk management framework in real-world scenarios. These examples illustrate how risks can be identified, assessed, and mitigated across various contexts."
- Reference to Tools, Methodologies, Benchmarks, and Guidance: "The final section compiles tools, evaluation metrics, benchmarks, methodologies, and standards to support developers and users in managing risks and evaluating the performance of LLM systems."

👉 Download it below.
👉 NEVER MISS my AI governance updates: join my newsletter's 58,500+ subscribers (below).

#AI #AIGovernance #Privacy #DataProtection #AIRegulation #EDPB
-
This new white paper by Stanford Institute for Human-Centered Artificial Intelligence (HAI) titled "Rethinking Privacy in the AI Era" addresses the intersection of data privacy and AI development, highlighting the challenges and proposing solutions for mitigating privacy risks. It outlines the current data protection landscape, including the Fair Information Practice Principles, GDPR, and U.S. state privacy laws, and discusses the distinction and regulatory implications between predictive and generative AI.

The paper argues that AI's reliance on extensive data collection presents unique privacy risks at both individual and societal levels, noting that existing laws are inadequate for the emerging challenges posed by AI systems, because they don't fully tackle the shortcomings of the Fair Information Practice Principles (FIPs) framework or concentrate adequately on the comprehensive data governance measures necessary for regulating data used in AI development.

According to the paper, FIPs are outdated and not well-suited for modern data and AI complexities, because:
- They do not address the power imbalance between data collectors and individuals.
- FIPs fail to enforce data minimization and purpose limitation effectively.
- The framework places too much responsibility on individuals for privacy management.
- Allows for data collection by default, putting the onus on individuals to opt out.
- Focuses on procedural rather than substantive protections.
- Struggles with the concepts of consent and legitimate interest, complicating privacy management.

It emphasizes the need for new regulatory approaches that go beyond current privacy legislation to effectively manage the risks associated with AI-driven data acquisition and processing.

The paper suggests three key strategies to mitigate the privacy harms of AI:

1.) Denormalize Data Collection by Default: Shift from opt-out to opt-in data collection models to facilitate true data minimization. This approach emphasizes "privacy by default" and the need for technical standards and infrastructure that enable meaningful consent mechanisms.

2.) Focus on the AI Data Supply Chain: Enhance privacy and data protection by ensuring dataset transparency and accountability throughout the entire lifecycle of data. This includes a call for regulatory frameworks that address data privacy comprehensively across the data supply chain.

3.) Flip the Script on Personal Data Management: Encourage the development of new governance mechanisms and technical infrastructures, such as data intermediaries and data permissioning systems, to automate and support the exercise of individual data rights and preferences. This strategy aims to empower individuals by facilitating easier management and control of their personal data in the context of AI.

by Dr. Jennifer King, Caroline Meinhardt

Link: https://lnkd.in/dniktn3V
-
All risk is enterprise risk. Cybersecurity Risk Management (CSRM) must be part of Enterprise Risk Management (ERM).

Many companies think managing cyber risks is:
╳ Just an IT problem.
╳ Isolated from other risks.
╳ A low-priority task.

But in reality, it is:
☑ A key part of the entire risk strategy.

Here are the key steps to integrate cybersecurity risk into enterprise risk management:

1. Unified Risk Management
   ↳ Integrating CSRM into ERM helps handle all enterprise risks effectively.
2. Top-Level Involvement
   ↳ Top management must be involved in managing cyber risks along with other risks.
3. Contextual Consideration
   ↳ Cyber risks should be considered in the context of the enterprise's mission, financial, reputational, and technical risks.
4. Aligned Risk Appetite
   ↳ Align risk appetite and tolerance between enterprise management levels and cybersecurity systems.
5. Holistic Approach
   ↳ Adopt a holistic approach to identify, prioritize, and treat risks across the organization.
6. Common Risk Language
   ↳ Establish a common language around risk that permeates all levels of the organization.
7. Continuous Improvement
   ↳ Monitor, evaluate, and adjust risk management strategies continuously.
8. Clear Governance
   ↳ Ensure clear governance structures to support proactive risk management.
9. Digital Dependency
   ↳ Understand how cybersecurity risks affect business continuity, customer trust, and regulatory compliance.
10. Strategic Enabler
   ↳ Prioritize risk management as both a strategic business enabler and a protective measure.
11. Risk Register
   ↳ Use a unified risk register to consolidate and communicate risks effectively.
12. Organizational Culture
   ↳ Foster a culture that values risk management as important for achieving strategic goals.

Integrating cybersecurity risk into enterprise risk management isn't just a technical task. It's a strategic necessity.

💬 Leave a comment — how does your company handle cyber risk?
➕ Follow Andrey Gubarev for more posts like this
-
Isabel Barberá: "This document provides practical guidance and tools for developers and users of Large Language Model (LLM) based systems to manage privacy risks associated with these technologies. The risk management methodology outlined in this document is designed to help developers and users systematically identify, assess, and mitigate privacy and data protection risks, supporting the responsible development and deployment of LLM systems.

This guidance also supports the requirements of the GDPR Article 25 Data protection by design and by default and Article 32 Security of processing by offering technical and organizational measures to help ensure an appropriate level of security and data protection. However, the guidance is not intended to replace a Data Protection Impact Assessment (DPIA) as required under Article 35 of the GDPR. Instead, it complements the DPIA process by addressing privacy risks specific to LLM systems, thereby enhancing the robustness of such assessments.

Guidance for Readers
> For Developers: Use this guidance to integrate privacy risk management into the development lifecycle and deployment of your LLM based systems, from understanding data flows to how to implement risk identification and mitigation measures.
> For Users: Refer to this document to evaluate the privacy risks associated with LLM systems you plan to deploy and use, helping you adopt responsible practices and protect individuals’ privacy.
> For Decision-makers: The structured methodology and use case examples will help you assess the compliance of LLM systems and make informed risk-based decisions"

European Data Protection Board